So I was already using a certificate on my Ubuntu 15.10/Apache2 server but it expired. Having heard of Let's Encrypt I decided to switch to it. Unfortunately, I am unable to make it work correclty.
Here is what I've done:
It then installed a bunch of packages and asked me for certificate info : domain name and mail address.
End log :
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel):vps158186.ovh.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for vps158186.ovh.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. vps158186.ovh.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 9306bd1878dbffb775d3327851226d25.8edab4427c0c87cedc80a1253933860d.acme.invalid from 176.31.167.47:443. Received 1 certificate(s), first certificate had names "vps158186.ovh.net"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: vps158186.ovh.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
9306bd1878dbffb775d3327851226d25.8edab4427c0c87cedc80a1253933860d.acme.invalid
from 176.31.167.47:443. Received 1 certificate(s), first
certificate had names "vps158186.ovh.net"
Quoting some documentation that I’m in the process of writing:
Offering a specified certificate on a web site
This method is called the TLS-SNI-01 challenge. In this challenge, the certificate authority will expect a specified digital certificate to be provided by the web server in response to an HTTPS request using a particular made-up domain name. The request will be made using HTTPS on TCP port 443. You cannot choose a different port number.
This certificate is a self-signed certificate created by Certbot. You use it only temporarily to prove your control over a domain name. It’s not the same as the certificate for your site that will later be issued by Let’s Encrypt once you’ve proven that you control the site.
Common problems with the TLS-SNI-01 challenge:
You aren’t running Certbot on your web server
Most people should install and run Certbot on their web server hosting their website, not on their laptops or some other computer. While you can use Certbot in manual mode on a laptop and then separately set up the appropriate files on your webserver, it’s not likely to be the most convenient way to get a certificate for most users.
A domain name you’re requesting a certificate for isn’t correctly pointed at that web server
In most cases, every name you’re requesting a certificate for should already exist and be pointed to the server where you’re requesting that certificate. (Some alternatives exist for complex network configurations, but they’re the exception rather than the rule.)
You’re using a content delivery network (CDN)
TLS-SNI-01 doesn’t work with CDNs (like CloudFlare and Akamai). You have to use a different challenge type. (This is a special case of the previous problem: the domain name is pointed at the CDN, not directly at your server.)
A firewall is blocking access to port 443
The certificate authority needs to be able to connect to port 443 of your server in order to confirm that you satisfied the TLS-SNI-01 challenge. So that needs to be publicly reachable from the Internet, and not blocked by a router or firewall.
(With apache plugin)
Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443
(With apache plugin)
You have more than one virtualhost defined within a single configuration file in /etc/apache2/sites-available (which confuses Certbot; this is a bug which will be fixed in a forthcoming release)
(With nginx plugin)
Certbot thinks you’re running nginx, but you aren’t running it, or you’re running a different server of some kind on port 443
(With apache or nginx plugin)
Certbot doesn’t know how to modify your web server configuration correctly
(With standalone plugin)
You tried to use --standalone when there was already some other program on your server listening to port 443
Your DNS records aren’t valid
Try checking your DNS records with a tool like the DNSchecker at http://www.dnsstuff.com/ to make sure there are no serious errors. Sometimes a DNS error still allows your site to load in a web browser, but prevents the certificate authority from issuing a certificate.
I ruled out the following issues : #1. You aren’t running Certbot on your web server
I’m running it on my server through an SSH connection #2. A domain name you’re requesting a certificate for isn’t correctly pointed at that web server
I can access my server through port 443, but since there’s no index file, it returns a 403 error. #3. You’re using a content delivery network (CDN)
My server is a Virtual Private Server, not sure if it is considered as a CDN. #4. A firewall is blocking access to port 443
See #2. Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443
Nginx is not installed, plus see #2.
What I think might be the issue : You have more than one virtualhost defined within a single configuration file in /etc/apache2/sites-available (which confuses Certbot; this is a bug which will be fixed in a forthcoming release)
I do have two VirtualHost entries in the same configuration file because of an app running on my server. I have absolutely no clue if this can be done in separate files (I don’t know much about how to configure webservers).
This is probably the problem. You could wait for a forthcoming release that will fix the bug in Certbot that gets confused by this situation, or split these into two configuration files, or use a different authentication method (for example --webroot if you have a server speaking HTTP on port 80).